Add support for temporary URL for Swift driver
Signed-off-by: Sylvain Baubeau <sbaubeau@redhat.com>
This commit is contained in:
		
							parent
							
								
									7759153f2f
								
							
						
					
					
						commit
						7c3281861f
					
				
					 3 changed files with 234 additions and 46 deletions
				
			
		|  | @ -93,6 +93,16 @@ An implementation of the `storagedriver.StorageDriver` interface that uses [Open | ||||||
|     </p> |     </p> | ||||||
|     </td> |     </td> | ||||||
| </tr> | </tr> | ||||||
|  | <tr> | ||||||
|  |     <td> | ||||||
|  |     <code>trustid</code> | ||||||
|  |     </td> | ||||||
|  |     <td> | ||||||
|  |     <p> | ||||||
|  |     Optionally, your OpenStack trust id for Identity v3 API. | ||||||
|  |     </p> | ||||||
|  |     </td> | ||||||
|  | </tr> | ||||||
| <tr> | <tr> | ||||||
|     <td> |     <td> | ||||||
|     <code>insecureskipverify</code> |     <code>insecureskipverify</code> | ||||||
|  | @ -133,4 +143,58 @@ An implementation of the `storagedriver.StorageDriver` interface that uses [Open | ||||||
|     </p> |     </p> | ||||||
|     </td> |     </td> | ||||||
| </tr> | </tr> | ||||||
|  | <tr> | ||||||
|  |     <td> | ||||||
|  |     <code>secretkey</code> | ||||||
|  |     </td> | ||||||
|  |     <td> | ||||||
|  |     <p> | ||||||
|  |     Optionally, the secret key used to generate temporary URLs.</p> | ||||||
|  |     </p> | ||||||
|  |     </td> | ||||||
|  | </tr> | ||||||
|  | <tr> | ||||||
|  |     <td> | ||||||
|  |     <code>accesskey</code> | ||||||
|  |     </td> | ||||||
|  |     <td> | ||||||
|  |     <p> | ||||||
|  |     Optionally, the access key to generate temporary URLs. It is used by HP Cloud Object Storage in addition to the `secretkey` parameter.</p> | ||||||
|  |     </p> | ||||||
|  |     </td> | ||||||
|  | </tr> | ||||||
|  | </table> | ||||||
|  | 
 | ||||||
|  | The features supported by the Swift server are queried by requesting the `/info` URL on the server. In case the administrator | ||||||
|  | disabled that feature, the configuration file can specify the following optional parameters : | ||||||
|  | 
 | ||||||
|  | <table> | ||||||
|  | <tr> | ||||||
|  |     <td> | ||||||
|  |     <code>tempurlcontainerkey</code> | ||||||
|  |     </td> | ||||||
|  |     <td> | ||||||
|  |     <p> | ||||||
|  |     Specify whether to use container secret key to generate temporary URL when set to true, or the account secret key otherwise.</p> | ||||||
|  |     </p> | ||||||
|  |     </td> | ||||||
|  | </tr> | ||||||
|  | <tr> | ||||||
|  |     <td> | ||||||
|  |     <code>tempurlmethods</code> | ||||||
|  |     </td> | ||||||
|  |     <td> | ||||||
|  |     <p> | ||||||
|  |     Array of HTTP methods that are supported by the TempURL middleware of the Swift server. Example:</p> | ||||||
|  |     <code> | ||||||
|  |     - tempurlmethods: | ||||||
|  |       - GET | ||||||
|  |       - PUT | ||||||
|  |       - HEAD | ||||||
|  |       - POST | ||||||
|  |       - DELETE | ||||||
|  |     </code> | ||||||
|  |     </p> | ||||||
|  |     </td> | ||||||
|  | </tr> | ||||||
| </table> | </table> | ||||||
|  |  | ||||||
|  | @ -7,9 +7,6 @@ | ||||||
| // It supports both TempAuth authentication and Keystone authentication | // It supports both TempAuth authentication and Keystone authentication | ||||||
| // (up to version 3). | // (up to version 3). | ||||||
| // | // | ||||||
| // Since Swift has no concept of directories (directories are an abstration), |  | ||||||
| // empty objects are created with the MIME type application/vnd.swift.directory. |  | ||||||
| // |  | ||||||
| // As Swift has a limit on the size of a single uploaded object (by default | // As Swift has a limit on the size of a single uploaded object (by default | ||||||
| // this is 5GB), the driver makes use of the Swift Large Object Support | // this is 5GB), the driver makes use of the Swift Large Object Support | ||||||
| // (http://docs.openstack.org/developer/swift/overview_large_objects.html). | // (http://docs.openstack.org/developer/swift/overview_large_objects.html). | ||||||
|  | @ -24,12 +21,11 @@ import ( | ||||||
| 	"crypto/sha1" | 	"crypto/sha1" | ||||||
| 	"crypto/tls" | 	"crypto/tls" | ||||||
| 	"encoding/hex" | 	"encoding/hex" | ||||||
| 	"encoding/json" |  | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"io" | 	"io" | ||||||
| 	"io/ioutil" | 	"io/ioutil" | ||||||
| 	"net/http" | 	"net/http" | ||||||
| 	gopath "path" | 	"net/url" | ||||||
| 	"strconv" | 	"strconv" | ||||||
| 	"strings" | 	"strings" | ||||||
| 	"time" | 	"time" | ||||||
|  | @ -67,9 +63,21 @@ type Parameters struct { | ||||||
| 	Prefix              string | 	Prefix              string | ||||||
| 	InsecureSkipVerify  bool | 	InsecureSkipVerify  bool | ||||||
| 	ChunkSize           int | 	ChunkSize           int | ||||||
|  | 	SecretKey           string | ||||||
|  | 	AccessKey           string | ||||||
|  | 	TempURLContainerKey bool | ||||||
|  | 	TempURLMethods      []string | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| type swiftInfo map[string]interface{} | // swiftInfo maps the JSON structure returned by Swift /info endpoint | ||||||
|  | type swiftInfo struct { | ||||||
|  | 	Swift struct { | ||||||
|  | 		Version string `mapstructure:"version"` | ||||||
|  | 	} | ||||||
|  | 	Tempurl struct { | ||||||
|  | 		Methods []string `mapstructure:"methods"` | ||||||
|  | 	} | ||||||
|  | } | ||||||
| 
 | 
 | ||||||
| func init() { | func init() { | ||||||
| 	factory.Register(driverName, &swiftDriverFactory{}) | 	factory.Register(driverName, &swiftDriverFactory{}) | ||||||
|  | @ -88,6 +96,10 @@ type driver struct { | ||||||
| 	Prefix              string | 	Prefix              string | ||||||
| 	BulkDeleteSupport   bool | 	BulkDeleteSupport   bool | ||||||
| 	ChunkSize           int | 	ChunkSize           int | ||||||
|  | 	SecretKey           string | ||||||
|  | 	AccessKey           string | ||||||
|  | 	TempURLContainerKey bool | ||||||
|  | 	TempURLMethods      []string | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| type baseEmbed struct { | type baseEmbed struct { | ||||||
|  | @ -179,8 +191,62 @@ func New(params Parameters) (*Driver, error) { | ||||||
| 		Conn:           ct, | 		Conn:           ct, | ||||||
| 		Container:      params.Container, | 		Container:      params.Container, | ||||||
| 		Prefix:         params.Prefix, | 		Prefix:         params.Prefix, | ||||||
| 		BulkDeleteSupport: detectBulkDelete(params.AuthURL), |  | ||||||
| 		ChunkSize:      params.ChunkSize, | 		ChunkSize:      params.ChunkSize, | ||||||
|  | 		TempURLMethods: make([]string, 0), | ||||||
|  | 		AccessKey:      params.AccessKey, | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	info := swiftInfo{} | ||||||
|  | 	if config, err := d.Conn.QueryInfo(); err == nil { | ||||||
|  | 		_, d.BulkDeleteSupport = config["bulk_delete"] | ||||||
|  | 
 | ||||||
|  | 		if err := mapstructure.Decode(config, &info); err == nil { | ||||||
|  | 			d.TempURLContainerKey = info.Swift.Version >= "2.3.0" | ||||||
|  | 			d.TempURLMethods = info.Tempurl.Methods | ||||||
|  | 		} | ||||||
|  | 	} else { | ||||||
|  | 		d.TempURLContainerKey = params.TempURLContainerKey | ||||||
|  | 		d.TempURLMethods = params.TempURLMethods | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	if len(d.TempURLMethods) > 0 { | ||||||
|  | 		secretKey := params.SecretKey | ||||||
|  | 		if secretKey == "" { | ||||||
|  | 			secretKey, _ = generateSecret() | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		// Since Swift 2.2.2, we can now set secret keys on containers | ||||||
|  | 		// in addition to the account secret keys. Use them in preference. | ||||||
|  | 		if d.TempURLContainerKey { | ||||||
|  | 			_, containerHeaders, err := d.Conn.Container(d.Container) | ||||||
|  | 			if err != nil { | ||||||
|  | 				return nil, fmt.Errorf("Failed to fetch container info %s (%s)", d.Container, err) | ||||||
|  | 			} | ||||||
|  | 
 | ||||||
|  | 			d.SecretKey = containerHeaders["X-Container-Meta-Temp-Url-Key"] | ||||||
|  | 			if d.SecretKey == "" || (params.SecretKey != "" && d.SecretKey != params.SecretKey) { | ||||||
|  | 				m := swift.Metadata{} | ||||||
|  | 				m["temp-url-key"] = secretKey | ||||||
|  | 				if d.Conn.ContainerUpdate(d.Container, m.ContainerHeaders()); err == nil { | ||||||
|  | 					d.SecretKey = secretKey | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 		} else { | ||||||
|  | 			// Use the account secret key | ||||||
|  | 			_, accountHeaders, err := d.Conn.Account() | ||||||
|  | 			if err != nil { | ||||||
|  | 				return nil, fmt.Errorf("Failed to fetch account info (%s)", err) | ||||||
|  | 			} | ||||||
|  | 
 | ||||||
|  | 			d.SecretKey = accountHeaders["X-Account-Meta-Temp-Url-Key"] | ||||||
|  | 			if d.SecretKey == "" || (params.SecretKey != "" && d.SecretKey != params.SecretKey) { | ||||||
|  | 				m := swift.Metadata{} | ||||||
|  | 				m["temp-url-key"] = secretKey | ||||||
|  | 				if err := d.Conn.AccountUpdate(m.AccountHeaders()); err == nil { | ||||||
|  | 					d.SecretKey = secretKey | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	return &Driver{ | 	return &Driver{ | ||||||
|  | @ -590,11 +656,60 @@ func (d *driver) Delete(ctx context.Context, path string) error { | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| // URLFor returns a URL which may be used to retrieve the content stored at the given path. | // URLFor returns a URL which may be used to retrieve the content stored at the given path. | ||||||
| // May return an UnsupportedMethodErr in certain StorageDriver implementations. |  | ||||||
| func (d *driver) URLFor(ctx context.Context, path string, options map[string]interface{}) (string, error) { | func (d *driver) URLFor(ctx context.Context, path string, options map[string]interface{}) (string, error) { | ||||||
|  | 	if d.SecretKey == "" { | ||||||
| 		return "", storagedriver.ErrUnsupportedMethod | 		return "", storagedriver.ErrUnsupportedMethod | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	methodString := "GET" | ||||||
|  | 	method, ok := options["method"] | ||||||
|  | 	if ok { | ||||||
|  | 		if methodString, ok = method.(string); !ok { | ||||||
|  | 			return "", storagedriver.ErrUnsupportedMethod | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	if methodString == "HEAD" { | ||||||
|  | 		// A "HEAD" request on a temporary URL is allowed if the | ||||||
|  | 		// signature was generated with "GET", "POST" or "PUT" | ||||||
|  | 		methodString = "GET" | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	supported := false | ||||||
|  | 	for _, method := range d.TempURLMethods { | ||||||
|  | 		if method == methodString { | ||||||
|  | 			supported = true | ||||||
|  | 			break | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	if !supported { | ||||||
|  | 		return "", storagedriver.ErrUnsupportedMethod | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	expiresTime := time.Now().Add(20 * time.Minute) | ||||||
|  | 	expires, ok := options["expiry"] | ||||||
|  | 	if ok { | ||||||
|  | 		et, ok := expires.(time.Time) | ||||||
|  | 		if ok { | ||||||
|  | 			expiresTime = et | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	tempURL := d.Conn.ObjectTempUrl(d.Container, d.swiftPath(path), d.SecretKey, methodString, expiresTime) | ||||||
|  | 
 | ||||||
|  | 	if d.AccessKey != "" { | ||||||
|  | 		// On HP Cloud, the signature must be in the form of tenant_id:access_key:signature | ||||||
|  | 		url, _ := url.Parse(tempURL) | ||||||
|  | 		query := url.Query() | ||||||
|  | 		query.Set("temp_url_sig", fmt.Sprintf("%s:%s:%s", d.Conn.TenantId, d.AccessKey, query.Get("temp_url_sig"))) | ||||||
|  | 		url.RawQuery = query.Encode() | ||||||
|  | 		tempURL = url.String() | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	return tempURL, nil | ||||||
|  | } | ||||||
|  | 
 | ||||||
| func (d *driver) swiftPath(path string) string { | func (d *driver) swiftPath(path string) string { | ||||||
| 	return strings.TrimLeft(strings.TrimRight(d.Prefix+"/files"+path, "/"), "/") | 	return strings.TrimLeft(strings.TrimRight(d.Prefix+"/files"+path, "/"), "/") | ||||||
| } | } | ||||||
|  | @ -640,19 +755,6 @@ func (d *driver) createManifest(path string, segments string) error { | ||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func detectBulkDelete(authURL string) (bulkDelete bool) { |  | ||||||
| 	resp, err := http.Get(gopath.Join(authURL, "..", "..") + "/info") |  | ||||||
| 	if err == nil { |  | ||||||
| 		defer resp.Body.Close() |  | ||||||
| 		decoder := json.NewDecoder(resp.Body) |  | ||||||
| 		var infos swiftInfo |  | ||||||
| 		if decoder.Decode(&infos) == nil { |  | ||||||
| 			_, bulkDelete = infos["bulk_delete"] |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| func parseManifest(manifest string) (container string, prefix string) { | func parseManifest(manifest string) (container string, prefix string) { | ||||||
| 	components := strings.SplitN(manifest, "/", 2) | 	components := strings.SplitN(manifest, "/", 2) | ||||||
| 	container = components[0] | 	container = components[0] | ||||||
|  | @ -661,3 +763,11 @@ func parseManifest(manifest string) (container string, prefix string) { | ||||||
| 	} | 	} | ||||||
| 	return container, prefix | 	return container, prefix | ||||||
| } | } | ||||||
|  | 
 | ||||||
|  | func generateSecret() (string, error) { | ||||||
|  | 	var secretBytes [32]byte | ||||||
|  | 	if _, err := rand.Read(secretBytes[:]); err != nil { | ||||||
|  | 		return "", fmt.Errorf("could not generate random bytes for Swift secret key: %v", err) | ||||||
|  | 	} | ||||||
|  | 	return hex.EncodeToString(secretBytes[:]), nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | @ -4,6 +4,7 @@ import ( | ||||||
| 	"io/ioutil" | 	"io/ioutil" | ||||||
| 	"os" | 	"os" | ||||||
| 	"strconv" | 	"strconv" | ||||||
|  | 	"strings" | ||||||
| 	"testing" | 	"testing" | ||||||
| 
 | 
 | ||||||
| 	"github.com/ncw/swift/swifttest" | 	"github.com/ncw/swift/swifttest" | ||||||
|  | @ -33,6 +34,11 @@ func init() { | ||||||
| 		container          string | 		container          string | ||||||
| 		region             string | 		region             string | ||||||
| 		insecureSkipVerify bool | 		insecureSkipVerify bool | ||||||
|  | 		secretKey          string | ||||||
|  | 		accessKey          string | ||||||
|  | 		containerKey       bool | ||||||
|  | 		tempURLMethods     []string | ||||||
|  | 
 | ||||||
| 		swiftServer *swifttest.SwiftServer | 		swiftServer *swifttest.SwiftServer | ||||||
| 		err         error | 		err         error | ||||||
| 	) | 	) | ||||||
|  | @ -47,6 +53,10 @@ func init() { | ||||||
| 	container = os.Getenv("SWIFT_CONTAINER_NAME") | 	container = os.Getenv("SWIFT_CONTAINER_NAME") | ||||||
| 	region = os.Getenv("SWIFT_REGION_NAME") | 	region = os.Getenv("SWIFT_REGION_NAME") | ||||||
| 	insecureSkipVerify, _ = strconv.ParseBool(os.Getenv("SWIFT_INSECURESKIPVERIFY")) | 	insecureSkipVerify, _ = strconv.ParseBool(os.Getenv("SWIFT_INSECURESKIPVERIFY")) | ||||||
|  | 	secretKey = os.Getenv("SWIFT_SECRET_KEY") | ||||||
|  | 	accessKey = os.Getenv("SWIFT_ACCESS_KEY") | ||||||
|  | 	containerKey, _ = strconv.ParseBool(os.Getenv("SWIFT_TEMPURL_CONTAINERKEY")) | ||||||
|  | 	tempURLMethods = strings.Split(os.Getenv("SWIFT_TEMPURL_METHODS"), ",") | ||||||
| 
 | 
 | ||||||
| 	if username == "" || password == "" || authURL == "" || container == "" { | 	if username == "" || password == "" || authURL == "" || container == "" { | ||||||
| 		if swiftServer, err = swifttest.NewSwiftServer("localhost"); err != nil { | 		if swiftServer, err = swifttest.NewSwiftServer("localhost"); err != nil { | ||||||
|  | @ -79,6 +89,10 @@ func init() { | ||||||
| 			root, | 			root, | ||||||
| 			insecureSkipVerify, | 			insecureSkipVerify, | ||||||
| 			defaultChunkSize, | 			defaultChunkSize, | ||||||
|  | 			secretKey, | ||||||
|  | 			accessKey, | ||||||
|  | 			containerKey, | ||||||
|  | 			tempURLMethods, | ||||||
| 		} | 		} | ||||||
| 
 | 
 | ||||||
| 		return New(parameters) | 		return New(parameters) | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue